Wednesday, March 14, 2007

Today John Scott and I are launching Apex Evangelists. We formed the idea for an Application Express services company during one of our many discussions at Oracle OpenWorld, and over the last few months we have honed our idea of what we are going to provide.

The idea behind Apex Evangelists is that we will use our knowledge and experience of Application Express to provide a range of services, some of which are listed here -

Application & Website Development (plus of course hosting)

Training & Coaching (onsite and in our European Training Days)

Application and Database Migrations

Support Services

Our primary goal is to provide these services to the European market and generally to evangelise (hence the name!) about how beneficial using APEX can be to European companies. We also decided that, in order to take on bigger projects than just the two of us could handle and to cover more of the European market, we would need to involve other great, enthusiastic APEX developers, so we're pleased to announce that Dietmar Aust, Patrick Wolf and Denes Kubicek will be helping us in our quest.

These are very exciting times and I'm sure that there are busy times ahead!

Saturday, March 10, 2007

During one of my chats with John Scott, the question popped up of how long we had already been playing with APEX. I began searching in my archives...

A short overview of how I got in touch with APEX (aka HTMLDB aka Project Marvel).

In 2000 (I was working at Oracle) I saw a demo of an application made in WEB DB. I didn't play that much with WEB DB, but some of my (ex-)Oracle colleagues really loved it. Nevertheless in some projects around that time I used mod_plsql...

A few years later I saw a PowerPoint presentation of "Project Marvel". From the beginning I thought, "waaaw", this looks very good and promising. I think it was around February 2003 that I got more information about this project. I even found a screenshot in my archives from that time.

In September 2003 I first heard the name HTML DB. That was the first time I really played with it, I think it was v1.3. I still have a zip of version 1.4 ;-) I think my first message about APEX (HTML DB) in the OTN forum was on Oct 1, 2003 2:06 AM. Apparently at that time I was working with v1.4: http://forums.oracle.com/forums/thread.jspa?messageID=554340 Raj, at that time one of the HTML DB developers, answered me!

The rest you know, as it was public: HTML DB v1.5 -> v1.6 -> v2 -> APEX. I also found a pdf describing the history.

To show you the difference, a screenshot of the current APEX version (but you know that, I suppose).

Friday, March 09, 2007

A lot of people still think that ApEx is just a replacement for Excel or Access. But come on! That changed a long time ago. ApEx is a real development framework! The community has already released a lot of applications and sample code. A lot of the people in the ApEx community are sharing their knowledge and experience...

Still not convinced? Have a look at the application below... It's a free application that you can download from the OTN site. The roll-over menu when you click on readme.txt is very nice, as is everything else in there. This is just one example of what ApEx can do.

Friday, March 02, 2007

This will probably be my last night working on my whitepaper for Collaborate 07. I look forward to getting a long night's sleep at the weekend!

This night I was not alone! My friend John Scott was also working on his presentation ;-) When you know you're not alone doing these things that need to be done, it's a bit easier. We also triggered each other once in a while. Thanks John for keeping me alive!

It's my first whitepaper for a big event, so I thought I should blog about my experience doing it and also warn others not to make the same mistakes.

I submitted my abstract, that's easy... I also had my presentation in my "head" (I thought), so writing this whitepaper shouldn't take that long. That was a *big* mistake, or should I say a miscalculation. ;-)

I started with the concept of what I wanted to say: ApEx Shared Components, what can they do? and why and how I used them in DG Tournament. A manual is great, but it doesn't show you that specific thing working in a real environment, so I wanted to cover that area. Of course I love screenshots, as an image says more than a thousand words, so I made a lot of them and included them in the whitepaper.

When I was writing things down, I thought: "Will this be interesting enough for the audience?", "Does all this fit in a one-hour presentation?" etc.

So, I asked John Scott and Doug Gault to have a look at the very first draft of the paper. They sent me some comments and tips on how to improve it (thanks guys). That's something I learned from Tom Kyte, who once said that it's important to have good reviewers. I realize now that I should have asked more people to read my whitepaper, or had them reread the current version. Well, next time I'll try to do better and think about what happened this week.

Finally my Tips & Hints when you want to do your first whitepaper:

Prepare yourself

Know what you want to write about

Know what you want to tell to the audience

Start early

Let good people review your paper

Adapt accordingly

If time becomes an issue: get enough coffee ;-)

This is my advice so far, I wish I had followed all of it myself! If you have some other tips for me, don't hesitate to leave a comment.

Thursday, March 01, 2007

For the third night in a row I'm working on my whitepaper "APEX by Example: Shared Components" for the IOUG Collaborate 07 conference. I need to upload it tomorrow, so no time to lose! Nevertheless I wanted to blog about URL tampering, which I was investigating when I came to "Session State Protection" in the Shared Components area of ApEx.

For the moment I described it like this in my whitepaper (comments to make it better are welcome):

Session State Protection

Enabling Session State Protection can prevent hackers from tampering with the URLs within your application. URL tampering can adversely affect program logic, session state contents, and information privacy.

In DG Tournament

Why?

For security reasons! URL tampering: web-based applications, including those developed in Oracle Application Express, often pass values from one page to another through the URL. A clever enough user may notice this and override a value by typing his own value in the location field of his browser. For example, in DG Tournament, when logged in as Admin, I can see a list of all users. When I click on a user for his details I see the same screen a normal user sees on the "Your Profile" page. The URL doing that call looks like this:

f?p=103:10:240848379705417::NO::P10_USER_ID:70

My application is 103, the page is 10, and the session id is 240848379705417 (every session has a unique number). At the end you see P10_USER_ID:70, which means that my record (Dimitri Gielis) is user_id 70. Putting this in the URL sets the item P10_USER_ID in session state to that value, and the page then shows whichever record that value points at. When "Session State Protection" is disabled you can easily see another user by changing the URL to

f?p=103:10:240848379705417::NO::P10_USER_ID:71

This gives me the record of the user with user_id 71; without going through the application's own navigation I can obtain another user's information. When "Session State Protection" is enabled you get a message like the one in the screenshot above, telling you that session state protection has been violated.

How?

At the moment Session State Protection is disabled.

To enable, disable, or configure Session State Protection using a wizard, click Set Protection.

Click the Enable Session State Protection button.

We can see that Session State Protection is now Enabled.

Clicking the Page button gives the following screen.

Select the page you want to protect, in DG Tournament for example User Detail, and change the Page Access Protection. You can also set the protection at item level.

That appends a checksum (the cs parameter) to the URL. The previous URL, but now protected:

f?p=103:10:240848379705417::NO::P10_USER_ID:70&cs=3831E8EB498FF406064BE08337E72A9DF

When you try to change the user_id from 70 to 71 the checksum no longer matches and you get a message that session state protection has been violated. Note that the checksum only proves the application itself generated that link; the page still has to check that the logged-in user is allowed to see the record it is asked to show.
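To make the mechanism concrete, here is an added example (my own illustrative code, not code from the blog, from DG Tournament or from the APEX engine). It parses the f?p= URL syntax used above, signs the parts of the URL that the page is allowed to set with a keyed hash, and rejects a URL whose items were changed after signing. The secret key, the use of HMAC-SHA256 truncated to 32 hex digits, the session-scoped signing and the can_view_profile rule are all assumptions of this example; the real APEX checksum algorithm is not described on the page and is not reproduced here.

```python
import hashlib
import hmac

# Illustrative server-side secret; the APEX engine keeps its own. This value
# exists only so the example runs stand-alone.
SECRET_KEY = b"illustrative-secret-not-the-apex-one"

# Positional parts of the "p" parameter in an APEX f?p= URL.
P_FIELDS = ("app", "page", "session", "request", "debug",
            "clear_cache", "item_names", "item_values", "printer_friendly")


def parse_f_p(url):
    """Split an f?p= URL into its named parts, the page items it sets,
    and the optional cs= checksum (None when absent)."""
    query = url.split("?", 1)[1]
    params = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        params[key] = value
    parts = params["p"].split(":")
    parts += [""] * (len(P_FIELDS) - len(parts))
    fields = dict(zip(P_FIELDS, parts[:len(P_FIELDS)]))
    names = fields["item_names"].split(",") if fields["item_names"] else []
    values = fields["item_values"].split(",") if fields["item_values"] else []
    fields["items"] = dict(zip(names, values))
    fields["cs"] = params.get("cs")
    return fields


def checksum(app, page, session, items):
    """Keyed hash over everything the URL is allowed to set.

    Assumption of this example: a session-scoped HMAC-SHA256 truncated to
    32 hex digits. Because the session id is part of the signed data, a
    signed link copied into another session fails verification too.
    """
    canonical = "|".join([app, page, session] +
                         ["%s=%s" % kv for kv in sorted(items.items())])
    digest = hmac.new(SECRET_KEY, canonical.encode(), hashlib.sha256).hexdigest()
    return digest[:32].upper()


def protect_url(url):
    """Append cs= to an f?p= URL, as the engine does once protection is on."""
    f = parse_f_p(url)
    base = url.split("&cs=", 1)[0]
    return base + "&cs=" + checksum(f["app"], f["page"], f["session"], f["items"])


def check_url(url):
    """Accept the request only if cs= matches the URL's own contents.
    A missing checksum is rejected, just like a wrong one."""
    f = parse_f_p(url)
    if not f["cs"]:
        return False
    expected = checksum(f["app"], f["page"], f["session"], f["items"])
    return hmac.compare_digest(expected, f["cs"])


def can_view_profile(session_user_id, is_admin, requested_user_id):
    """The authorization check the page must still make: a valid checksum
    proves the application generated the link, not that this user may see
    that record. Assumed rule for the example: admins see everyone, everyone
    else only their own profile."""
    return is_admin or session_user_id == requested_user_id


def demo():
    """Replay the blog's scenario: sign the user 70 link, then tamper it."""
    original = "f?p=103:10:240848379705417::NO::P10_USER_ID:70"
    protected = protect_url(original)
    tampered = protected.replace("P10_USER_ID:70", "P10_USER_ID:71")
    return {
        "protected_ok": check_url(protected),   # the link the app generated
        "tampered_ok": check_url(tampered),     # user_id edited in the browser
        "unsigned_ok": check_url(original),     # no cs= at all
    }


if __name__ == "__main__":
    print(demo())
```

The verification step rejects both a URL whose item value was changed and a URL with no checksum at all; an implementation that accepts unsigned URLs would leave the tampering path wide open. can_view_profile is there to make the caveat explicit: even after check_url passes, the page must decide whether the session's user may see user_id 71.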